Authenticator record locations
When an authenticator is assigned to a user, it is moved to the same organizational unit as the user account to which it is assigned.
When a user account is moved to an organizational unit, all assigned authenticator records will also be moved.
An authenticator record that is assigned to a user cannot be moved on its own; the user account must be moved instead. Unassigned authenticator records may be allocated to various places in the organizational unit structure:
During installation, a default domain is created, i.e. the master domain. By default, all new user accounts and authenticators are created in or imported to the master domain, and may then be moved to other domains and organizational units.
If an organizational unit structure is used in the database, authenticators can be moved either to the same organizational units where the user accounts to which they will be assigned are located, or into a few key organizational units in the hierarchy where they may be assigned to users in lower-level organizational units.
When looking for an available authenticator record to assign to a user, OneSpan Authentication Server will first look in the same organizational unit as the specific user account if the user account belongs to an organizational unit. The Search Upwards in Organizational Unit hierarchy option allows OneSpan Authentication Server to search in parent organizational units and the authenticator pool container. This option can be set in the policy for system searches—i.e. auto-assignment and self-assignment (see auto-assignment (Overview) and self-assignment (Overview))—or at the time of the search for manual assignment.
OneSpan Authentication Server will always find or assign the closest available authenticator record to the selected user record(s).
If an authenticator is assigned to a user account that does not belong to an organizational unit, OneSpan Authentication Server will look for an available authenticator record that does not belong to an organizational unit either, i.e. for an available record stored directly in the domain.
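The search order described above, modeled in Python as an added illustration (this is example code, not OneSpan's own implementation or API; the Domain class, the find_available_authenticator function, the organizational unit names and the serial numbers are all constructed for the example):

```python
# Constructed model of the authenticator record search described in this
# section: own organizational unit first, then (only with Search Upwards
# enabled) each parent unit, then the domain root. Example code only.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Domain:
    # OU path -> parent OU path; "" stands for the domain root itself.
    parents: dict = field(default_factory=dict)
    # OU path ("" for the domain root) -> serials of unassigned records.
    pool: dict = field(default_factory=dict)

    def ou_chain(self, ou: str) -> list:
        """Return the OU followed by its ancestors, ending at the domain root."""
        chain = [ou]
        while chain[-1] != "":
            chain.append(self.parents.get(chain[-1], ""))
        return chain


def find_available_authenticator(domain: Domain, user_ou: str,
                                 search_upwards: bool) -> Optional[str]:
    """Return the serial of the closest unassigned record, or None.

    A user stored directly in the domain (user_ou == "") is only matched
    with records stored directly in the domain, whatever the option says.
    """
    locations = domain.ou_chain(user_ou) if search_upwards else [user_ou]
    for ou in locations:
        available = domain.pool.get(ou, [])
        if available:
            # Assigning removes the record from the unassigned pool; the
            # record then lives with the user account (see the text above).
            return available.pop(0)
    return None


def domain_root_example() -> dict:
    """Constructed 'Domain root' model: OUs A, B and B1 (B1 under B), with
    every unassigned record kept in the domain root."""
    dom = Domain(parents={"A": "", "B": "", "B1": "B"},
                 pool={"": ["DP0001", "DP0002"], "A": [], "B": [], "B1": []})
    return {
        "b1_with_search_upwards": find_available_authenticator(dom, "B1", True),
        "b1_without_search_upwards": find_available_authenticator(dom, "B1", False),
        "root_user": find_available_authenticator(dom, "", False),
        "root_user_exhausted": find_available_authenticator(dom, "", False),
    }
```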
Typical authenticator location models
Domain root
Authenticator records may be stored in the domain root while unassigned.
This option allows a centralized point of access for assignment of authenticator records. It requires less calculation and high-level administration, because the authenticator records are all stored in one area and there is no need to manually move records or calculate the exact number of authenticators required for each organizational unit or group of units. Administrators must belong to the domain only (not an organizational unit) to assign authenticators from the domain root.
In the example illustrated in Figure: Authenticator record location – Domain root, OneSpan Authentication Server searches upwards through the organizational unit structure for available authenticator records to assign to a user account in the organizational unit B1. Because no available authenticator records are found in B1, it searches in B, then in the domain root.
The administrator account that is used to manually assign the authenticator records must be located in the domain root (not in an organizational unit) for this model to work successfully.
The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly.
This scenario is simplified if no organizational unit structure is used in the database. User accounts and authenticator records may all be stored in the
Parent organizational units
Unassigned authenticator records can be kept in key organizational units, and made available to their lower-level organizational units.
In the example illustrated in Figure: Authenticator record location – Parent organizational unit, OneSpan Authentication Server can search in the parent organizational unit for available authenticator records.
The administrator account that is used to manually assign the authenticator records must belong to the parent organizational unit.
The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly.
Individual organizational units
Authenticator records can be loaded or moved into each organizational unit where and when they are required. If all authenticators in the organizational unit are assigned, more authenticator records must be moved to it manually by a domain administrator before they can be assigned.
In the example illustrated in Figure: Authenticator record location – Individual organizational units, unassigned authenticator records are stored in the same organizational units in which they will be assigned.
Administrator accounts belonging to the organizational units A1 and A2 have administration privileges in their own organizational unit only.
The Search Upwards in Organizational Unit hierarchy option is not required for this model.
Combination of models
Authenticator records can be stored in the